Re: [FW1] Best practice: DNS location



Well,

The SANS Institute puts the DNS attack at the top of its top ten list of vulnerabilities.
http://www.sans.org/topten.htm

Check this link out:
http://packetstorm.securify.com/exploits/apps/bind/

If you refer to the book "DNS & BIND, second edition" by Cricket Liu & Paul Albitz,
and you READ chapter 10 "Advanced Features and Security" CAREFULLY, you can
properly secure your DNS server. Of course, you must install the latest version of
BIND; it's like any other product, you must keep up to date for many reasons, like
security!!

Now, where will you place your DNS server, bah... on a firewall or a dedicated
machine? Can you install the latest version of BIND on an NT machine (the firewall is
on an NT machine)? If not, you can put it on a dedicated machine. Of course on a
screened network... or a DMZ.....

- Dan

Will Schwartz wrote:

> I would have your public DNS on a DMZ. I would house your private DNS on the
> LAN. The Public DNS should only contain the DNS records that you absolutely
> need to run, your internal DNS can have the rest. No one should connect to
> your internal DNS from the outside. You can set up a forwarding on your
> internal DNS to query your external DNS. I would never run DNS on a
> firewall, it is too insecure. One of the most common things to hack is DNS.
> I would dedicate a machine to it.
>
> HTH
> ~will
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]]On Behalf Of
> Chinnery Paul
> Sent: Thursday, October 12, 2000 3:22 PM
> To: [email protected]
> Subject: [FW1] Best practice: DNS location
>
> Currently using FW 4.0 on an NT 4.0 network.
> Our ISP wants us to install our own DNS and use them as secondary.
> My question is where the DNS should be:  should it be on our firewall server
> or on our internal network.  We are using NAT.



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
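
An added example, not part of the original thread: one way to check the advice above that the public (DMZ) DNS should hold only the records that are absolutely needed, and, since the site uses NAT, no internal addresses. The zone contents, the `NEEDED` allowlist and the function name are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample of a public zone file. Names are illustrative and
# 192.0.2.0/24 is a documentation range standing in for the NAT'd addresses.
SAMPLE_PUBLIC_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@        IN SOA ns1.example.com. hostmaster.example.com. 2000101201 3600 900 604800 3600
@        IN NS  ns1.example.com.
@        IN MX  10 mail.example.com.
ns1      IN A   192.0.2.53
mail     IN A   192.0.2.25
www      IN A   192.0.2.80
fileserv IN A   10.1.1.20      ; internal host, pre-NAT address
payroll  IN A   192.0.2.99     ; resolvable, but not a published service
"""

# Assumption: the only owner names the outside world has to resolve.
NEEDED = {"@", "ns1", "mail", "www"}

# RFC 1918 ranges, listed explicitly (ipaddress.is_private also covers
# documentation ranges, which would mislabel the sample data).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

NOT_NEEDED = "not in the list of needed public records"
PRIVATE = "A record points at a private (pre-NAT) address"

def audit_public_zone(zone_text, needed):
    """Return (owner, problem) pairs for records that do not belong in the
    public zone. Simplified parser: one record per line, explicit owner
    name, class IN written out."""
    findings = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):       # skip blanks and directives
            continue
        fields = line.split()
        if "IN" not in fields:
            continue
        owner = fields[0]
        idx = fields.index("IN")
        rtype, rdata = fields[idx + 1], fields[idx + 2:]
        if owner not in needed:
            findings.append((owner, NOT_NEEDED))
        if rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if any(addr in net for net in RFC1918):
                findings.append((owner, PRIVATE))
    return findings

if __name__ == "__main__":
    for owner, problem in audit_public_zone(SAMPLE_PUBLIC_ZONE, NEEDED):
        print(f"{owner}: {problem}")
```

Records flagged here belong in the internal zone on the LAN-side server, which forwards to the external server for everything else.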
   All contents © 2004 Network Presence, LLC. All rights reserved.